Restrict nsjail sysfs access for hwloc to improve security

Add targeted read-only mounts for hwloc (required by HPX library) while preventing security vulnerabilities: - Only expose cpu0/cpu1 topology and cache subdirectories (not full cpu dirs) - Block cpuidle counters that leak real-time system activity - Block node meminfo that exposes live memory usage of all users - All mounts are read-only to prevent modification - cpu1 and NUMA node mounts are optional for single-CPU systems This restricts information disclosure while maintaining hwloc functionality. Related to: https://github.com/compiler-explorer/compiler-explorer/pull/7899 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-12-27 10:33:59 -05:00 · 2025-10-24 14:40:56 +02:00
parent 75ba5bc308
commit 3a055ebd47
1 changed files with 81 additions and 0 deletions
--- a/etc/nsjail/user-execution.cfg
+++ b/etc/nsjail/user-execution.cfg
@@ -209,6 +209,87 @@ mount {
    is_bind: true
 }

+###
+# hwloc support (required by HPX library)
+
+mount {
+    src: "/sys/devices/system/cpu/online"
+    dst: "/sys/devices/system/cpu/online"
+    is_bind: true
+    rw: false
+}
+
+mount {
+    src: "/sys/devices/system/cpu/possible"
+    dst: "/sys/devices/system/cpu/possible"
+    is_bind: true
+    rw: false
+}
+
+mount {
+    src: "/sys/devices/system/cpu/cpu0/topology"
+    dst: "/sys/devices/system/cpu/cpu0/topology"
+    is_bind: true
+    rw: false
+}
+
+mount {
+    src: "/sys/devices/system/cpu/cpu0/cache"
+    dst: "/sys/devices/system/cpu/cpu0/cache"
+    is_bind: true
+    rw: false
+}
+
+mount {
+    src: "/sys/devices/system/cpu/cpu1/topology"
+    dst: "/sys/devices/system/cpu/cpu1/topology"
+    is_bind: true
+    rw: false
+    mandatory: false
+}
+
+mount {
+    src: "/sys/devices/system/cpu/cpu1/cache"
+    dst: "/sys/devices/system/cpu/cpu1/cache"
+    is_bind: true
+    rw: false
+    mandatory: false
+}
+
+mount {
+    src: "/sys/devices/system/node/online"
+    dst: "/sys/devices/system/node/online"
+    is_bind: true
+    rw: false
+    mandatory: false
+}
+
+mount {
+    src: "/sys/devices/system/node/possible"
+    dst: "/sys/devices/system/node/possible"
+    is_bind: true
+    rw: false
+    mandatory: false
+}
+
+mount {
+    src: "/sys/devices/system/node/node0/cpumap"
+    dst: "/sys/devices/system/node/node0/cpumap"
+    is_bind: true
+    rw: false
+    mandatory: false
+}
+
+mount {
+    src: "/sys/devices/system/node/node0/distance"
+    dst: "/sys/devices/system/node/node0/distance"
+    is_bind: true
+    rw: false
+    mandatory: false
+}
+# End hwloc support
+###
+
 mount {
    src: "/cefs"
    dst: "/cefs"